We have systems in a DMZ that need to be managed, how can a single instance of RED IM handle that?

There are many options to managing DMZ based systems or those in a secured network segment. The most typical option is to deploy a zone processor in the secured segment. The zone processor will help limit the scope of management traffic to that of just the secured network and require only a single outbound connection from the zone processor to the central database server on a single port. This connection can be further protected by enabling SSL/TLS on the database host and using the proper database provider on the zone processor host.

Additionally, you may choose to implement additional transport and session layer protections for all network communications such as IPSec with ESP and/or AH to encrypt all communications to and from the server and/or help prevent various MITM or replay attacks.